Anyone on staff in the outpatient wound clinic setting has likely experienced the clamoring for photographs and cameras that can occur at the end of a shift. The misplacement or outright loss of a camera potentially containing photographs and patients’ protected health information (PHI) is a program manager’s biggest fear and worst nightmare. In a world where social media enables a skilled Facebook or Twitter user to post a picture online within seconds, camera security should be a high priority in any wound clinic to protect patient privacy. Nobody, regardless of how financially successful one’s program may be, wants to explain to the corporate compliance officer that potentially harmful photographs, as they pertain to PHI, have been lost, stolen, or compromised.
Most clinicians within a wound center are regularly photographing and measuring chronic wounds for the purpose of assisting documentation and tracking wound healing progression or treatment failures. Typically, traditional digital cameras that can be purchased at many department stores are utilized for this photo-acquisition process. The photos taken may contain labels depicting the wound’s number and location, as well as the patient’s name. In many instances the storing of these photos is commonly conducted via upload within the patient’s electronic health record (EHR).
As the operating manager of two wound centers at Excela Health, a health system based in Greensburg, PA, that sees more than 1,000 patient visits per month, I have long been concerned about the issue of camera and photo security. My staff’s vulnerability is quite significant should a camera go unprotected, as it pertains to HIPAA compliance, and find its way into someone’s possession outside of the wound center.
Taking Appropriate Photo Precautions
In an effort to come as close to ensuring the total protection of our clinical photographs as possible, I enlisted the assistance of our information technology (IT) and telecom departments, and together we explored various options before deciding upon the utilization of iPhones as our everyday clinical cameras. The reasons for this are many. Consider: The phones are relatively small, lightweight, and the camera function provides good resolution (sometimes identified by the width and height of an image, as well as the total number of pixels in the image). Additionally, most people are used to seeing and/or using the iPhone, which helps patients feel more comfortable when their photos are being taken with the device. (Our telecom department staff had some older iPhones that were given to us to use.)
The phones were then encrypted with a password and our IT team searched for a free app for wireless photo transfers to be conducted over our secure network. We then installed the app on the phones and our desktop computer, which is utilized to upload photos to the EHR. Once the photos are uploaded to the EHR, which occurs immediately after each patient visit, they are permanently deleted from the phones. This step in our process is crucial as it relates to HIPAA compliance because password protection on the phone alone is not enough to meet HIPAA standards. The distinction here is that in order to ensure patient privacy the photos must immediately be securely uploaded to the EHR (and individually encrypted) and permanently deleted from the phone.
Our IT team also took the added step of disabling all iPhone functionality with the exception of the camera mode and the app for photo transfers. This essentially allowed us to convert the iPhones to cameras that allow us to send photos wirelessly to a shared computer within each center at a cost relatable to that of purchasing traditional digital cameras.
Today, as part of our initiative as a “Lean” organization,1 our staff members and our patients enjoy a heightened level of photo security through the identifying of waste and the promoting of safety — two core “Lean” concepts. This is just one example of how Excela Health embraces and promotes a “Lean” culture.1 As a bonus, the wireless transfer of photos is a faster and more user-friendly process as compared to our previous procedure.
Should an iPhone be lost or stolen, we would at least know that photos taken with the device had been previously uploaded to the EHR and then deleted. Additionally, the IT team has the ability to wipe clean any phone of all stored data at any time. Our health system’s IT and telecom departments were key players in this initiative, partnering with our clinical staff to eliminate this vulnerability within our wound centers.
Thomas Capco is system director, ambulatory and outpatient services, at Excela Health, Greensburg, PA.
1. Lean Enterprise Institute. Accessed online: www.lean.org